CVE-2026-15681 in AnyDesk
Summary
by MITRE • 07/14/2026
AnyDesk Screen Recording Link Following Denial-of-Service Vulnerability. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of screen recording files. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-26591.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability represents a critical denial-of-service weakness in AnyDesk screen recording functionality that stems from improper file handling mechanisms within the software's service architecture. The flaw specifically manifests when the application processes screen recording files, creating opportunities for local attackers to manipulate the system's file creation processes through symbolic link manipulation techniques. The vulnerability was identified as ZDI-CAN-26591 and demonstrates a fundamental security gap in how the application manages file system operations during screen recording sessions.
The technical exploitation of this vulnerability requires an attacker to first establish a foothold with low-privileged user access on the target system, which then enables them to create malicious junction points that can be leveraged against the AnyDesk service. This particular flaw exists within the file handling subsystem where the application fails to properly validate or sanitize file paths during screen recording operations, allowing for arbitrary file creation through crafted symbolic links. The vulnerability operates at the intersection of privilege escalation and denial-of-service attack vectors, making it particularly dangerous in environments where local user access might be compromised.
From an operational impact perspective, this vulnerability can severely disrupt business continuity by rendering the AnyDesk service unavailable to legitimate users who require remote desktop functionality. The denial-of-service condition affects not only the screen recording capabilities but can potentially extend to broader system availability issues if the service becomes unresponsive or crashes entirely. Attackers can exploit this weakness to repeatedly crash the AnyDesk process, forcing administrators to restart services manually and potentially causing temporary loss of remote access capabilities for users who depend on the platform.
The vulnerability's classification aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-400 (Uncontrolled Resource Consumption), as it enables attackers to manipulate file paths and consume system resources through excessive file creation operations. From an ATT&CK framework perspective, this vulnerability maps to T1499.004 (Toggle Cloud Service Logging) and T1566.002 (Phishing via Social Engineering) in the context of initial access, while representing a local execution vector under T1068 (Local Privilege Escalation) when attackers can leverage it to gain elevated system control. Organizations should implement immediate mitigations including restricting user privileges on systems running AnyDesk, monitoring for suspicious file creation patterns, and applying vendor-provided patches as soon as they become available to prevent exploitation of this persistent vulnerability that undermines the fundamental reliability of remote desktop services.
This weakness fundamentally compromises the integrity of the screen recording functionality by allowing attackers to manipulate the underlying file system operations through symbolic link manipulation. The implementation error occurs when AnyDesk fails to properly validate file paths, particularly when processing junction points that can be created by local users with minimal privileges. This creates an attack surface where malicious actors can exploit the service's trust in local file operations to trigger resource exhaustion or system instability. The vulnerability represents a classic example of insufficient input validation and path traversal protection mechanisms within desktop application security models. Organizations should consider implementing additional monitoring controls around file system changes, particularly around directories used for screen recording operations, as well as establishing proper access controls that limit user capabilities to prevent exploitation of this class of vulnerability that affects enterprise remote desktop solutions.